Retrieve certificates from 3rd party Certificate Authority

I want to connect to a third-party Certificate Authority in order to obtain an individual's certificate based on a search criterion (like email id). I'm looking to download the individual's certificate from the third-party server and use it dynamically, assuming it is a trusted certificate. I do not want to store the certificate on my local server. The problem here is how to obtain the third-party (for example VeriSign or Microsoft) Certificate Authority server's hostname and port to retrieve the certificates.

Reading Sun's tutorial I came up with this...

Did a lot of googling but could not find a satisfactory answer. Perhaps my key-words for the search are wrong, as I am completely new in this. Thanks,

I understand there is a proverbial "chicken and egg" problem here, if I'm reading your design correctly. To address this, your application may support a collection of certificate authorities, and you may iterate through that collection until one of them returns a certificate chain. If your search returns no certificates then the user interface may ask the user which certificate authority holds their certificate.

By far the most manageable way to get a certificate chain from a user, however, is to SSL enable the connection to your site.
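The collection-of-CAs approach suggested above, as an added Java example that is not code from the thread or from any CA: it walks a configured list of CA directory repositories, asks each for the userCertificate attribute of the entry whose mail attribute matches the address, and stops at the first CA that returns one. The repository names, URLs and base DNs are hypothetical placeholders; the real access point for a CA is whatever its published practice statement gives, and the thread never identifies one. Because the address is supplied by another module, it is escaped as an LDAP filter value before it goes into the search filter, so a crafted input cannot rewrite the filter. It needs a reachable directory to run, and it deliberately does no validation of what comes back.

```java
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** Looks up an end-entity certificate by e-mail address across a list of CA repositories. */
public class CaRepositoryLookup {

    /** One CA's published directory: an LDAPS URL and the base DN to search under. */
    public static final class Repository {
        final String name, url, baseDn;
        Repository(String name, String url, String baseDn) { this.name = name; this.url = url; this.baseDn = baseDn; }
    }

    // Hypothetical access points; the real hostnames and base DNs come from each CA's own published repository.
    static final List<Repository> REPOSITORIES = List.of(
        new Repository("CA-1", "ldaps://directory.ca-one.example:636", "o=CA One, c=US"),
        new Repository("CA-2", "ldaps://directory.ca-two.example:636", "o=CA Two, c=US"));

    static final int MAX_RESULTS = 5;     // one address should match one entry; more is suspicious
    static final int TIMEOUT_MS = 5000;   // do not let a slow CA hang the button click

    /** Escapes an RFC 4515 filter value so an address from another module cannot alter the filter. */
    static String escapeFilterValue(String v) {
        StringBuilder sb = new StringBuilder();
        for (char c : v.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Returns the first DER-encoded userCertificate found for the address in one repository, or null. */
    static byte[] findByEmail(Repository repo, String email) throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, repo.url);
        env.put(Context.SECURITY_AUTHENTICATION, "none");     // anonymous, read-only access
        env.put("com.sun.jndi.ldap.connect.timeout", String.valueOf(TIMEOUT_MS));
        env.put("com.sun.jndi.ldap.read.timeout", String.valueOf(TIMEOUT_MS));

        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"userCertificate;binary"});
        sc.setCountLimit(MAX_RESULTS);
        sc.setTimeLimit(TIMEOUT_MS);

        String filter = "(mail=" + escapeFilterValue(email) + ")";
        DirContext ctx = new InitialDirContext(env);
        try {
            NamingEnumeration<SearchResult> results = ctx.search(repo.baseDn, filter, sc);
            while (results.hasMore()) {
                Attribute attr = results.next().getAttributes().get("userCertificate;binary");
                if (attr != null) return (byte[]) attr.get();
            }
            return null;
        } finally {
            ctx.close();
        }
    }

    /** Walks the configured CAs in order and stops at the first one that knows the address. */
    public static byte[] lookup(String email) {
        for (Repository repo : REPOSITORIES) {
            try {
                byte[] der = findByEmail(repo, email);
                if (der != null) {
                    System.out.println("found " + der.length + " bytes at " + repo.name);
                    return der;
                }
            } catch (NamingException e) {
                System.err.println(repo.name + ": " + e.getMessage());   // try the next CA
            }
        }
        return null;   // nothing found: the UI should ask the user which CA issued the certificate
    }

    public static void main(String[] args) {
        byte[] der = lookup(args.length > 0 ? args[0] : "alice@example.com");
        System.out.println(der == null ? "no certificate found" : "retrieved; not yet validated");
    }
}
```

Run it as `java CaRepositoryLookup alice@example.com`. Using ldaps:// URLs means the JVM checks the repository's own TLS certificate against its trust store, so you at least know which server handed you the bytes. What the bytes contain still has to be checked before they are used: the LDAP provider puts no size limit on the attribute value it returns, and nothing here confirms that the certificate chains to the CA you meant to ask.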

K Aditi
Ranch Hand

Joined: Mar 17, 2008
Posts: 89

posted Jul 29, 2008 22:49:00

0

The module may support around 3-4 CAs. The search criteria like name and email ID as well as the CA's name will be input to it from a different module. It's like "Get me the certificate for XYZ issued by Verisign/Microsoft etc. from the Verisign/Microsoft CA at the click of a button."

By far the most manageable way to get a certificate chain from a user, however, is to SSL enable the connection to your site.

I know SSL theoretically but lack experience of practical application. But wouldn't using SSL be more than necessary, because certificates can be viewed by anybody? I just want to retrieve them. Will I have to validate them? Thanks,

Set Cruz
Greenhorn

Joined: Jan 31, 2008
Posts: 26

posted Jul 30, 2008 09:13:00

0

I suggest you validate and verify certificate chains. What do you plan to do with the certificates once you retrieve them?

K Aditi
Ranch Hand

Joined: Mar 17, 2008
Posts: 89

posted Jul 30, 2008 23:21:00

0

Perhaps I am asking a naive question, but why would I want to validate and verify certificates if I want to just store them on my card, which is just a storage space?

Set Cruz
Greenhorn

Joined: Jan 31, 2008
Posts: 26

posted Jul 31, 2008 06:26:00

0

Imagine somebody wants to exploit your system. They may hijack your query for a user certificate and return a fairly large binary query result. But you are not validating or verifying so you max out the "storage space", card, etc. From then on, depending on your system, of which I'm just barely learning some details, you may have an availability problem.
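One way to do the validation being argued for, as an added Java example that is not code from the thread: the bytes handed back by the repository are capped at a fixed size before they are even parsed (so an oversized reply cannot fill the card or the JVM), parsed with the JDK's X.509 CertificateFactory, checked for validity dates and for being issued to the address that was searched for, and then chained with the PKIX CertPathBuilder to one of the roots of the CAs the module supports. The 16 KB cap, the file-based input in main, and the root PEM file paths are assumptions made for the example; the CA-specific values would come from the module's configuration.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

/** Checks a certificate blob fetched from a CA repository before it is written to the card. */
public class RetrievedCertificateCheck {

    /** A user certificate is a few KB; anything larger is rejected before it is parsed (assumed limit). */
    static final int MAX_CERT_BYTES = 16 * 1024;

    /** Parses the downloaded bytes (DER or PEM, possibly with intermediates) and rejects oversized results. */
    static List<X509Certificate> parse(byte[] blob) throws Exception {
        if (blob == null || blob.length == 0) throw new IllegalArgumentException("empty result");
        if (blob.length > MAX_CERT_BYTES)
            throw new IllegalArgumentException("result too large: " + blob.length + " bytes");
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> out = new ArrayList<>();
        for (Certificate c : cf.generateCertificates(new ByteArrayInputStream(blob))) out.add((X509Certificate) c);
        if (out.isEmpty()) throw new IllegalArgumentException("no certificate in result");
        return out;   // end-entity certificate first, as the repository returned it
    }

    /** True if the certificate is issued to the searched address (SAN rfc822Name or subject emailAddress). */
    static boolean boundToEmail(X509Certificate cert, String email) throws Exception {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {   // GeneralName type 1 is rfc822Name
                if (Integer.valueOf(1).equals(san.get(0)) && email.equalsIgnoreCase((String) san.get(1))) return true;
            }
        }
        // Older profiles carry the address as the emailAddress attribute of the subject DN instead.
        String dn = cert.getSubjectX500Principal().getName(
                X500Principal.RFC2253, Map.of("1.2.840.113549.1.9.1", "EMAILADDRESS"));
        for (Rdn rdn : new LdapName(dn).getRdns()) {
            if ("EMAILADDRESS".equalsIgnoreCase(rdn.getType())
                    && email.equalsIgnoreCase(String.valueOf(rdn.getValue()))) return true;
        }
        return false;
    }

    /** Loads the roots of the CAs this module supports; nothing else is accepted as a trust anchor. */
    static Set<TrustAnchor> loadAnchors(List<String> rootPemPaths) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Set<TrustAnchor> anchors = new HashSet<>();
        for (String p : rootPemPaths) {
            try (InputStream in = Files.newInputStream(Paths.get(p))) {
                for (Certificate c : cf.generateCertificates(in)) anchors.add(new TrustAnchor((X509Certificate) c, null));
            }
        }
        return anchors;
    }

    /** Validates dates and subject, then builds a PKIX path from the first certificate to one of the anchors. */
    static X509Certificate validate(List<X509Certificate> certs, String email,
                                    Set<TrustAnchor> anchors, boolean checkRevocation) throws Exception {
        X509Certificate leaf = certs.get(0);
        leaf.checkValidity();   // throws if outside notBefore/notAfter
        if (!boundToEmail(leaf, email)) throw new SecurityException("certificate is not issued to " + email);

        X509CertSelector target = new X509CertSelector();
        target.setCertificate(leaf);
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        // Any intermediates that came back with the result are offered to the builder.
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(certs)));
        params.setRevocationEnabled(checkRevocation);   // needs the CA's CRL or OCSP reachable when true
        PKIXCertPathBuilderResult r = (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
        System.out.println("chains to " + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        return leaf;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: RetrievedCertificateCheck <user-cert.der|pem> <email> <ca-root.pem>...");
            System.exit(2);
        }
        // Here the blob comes from a file; in the module it is the bytes the CA repository search returned.
        byte[] blob = Files.readAllBytes(Paths.get(args[0]));
        Set<TrustAnchor> anchors = loadAnchors(List.of(args).subList(2, args.length));
        X509Certificate ok = validate(parse(blob), args[1], anchors, false);
        System.out.println("accepted: " + ok.getSubjectX500Principal() + " serial " + ok.getSerialNumber());
    }
}
```

Run as `java RetrievedCertificateCheck user.der alice@example.com ca1-root.pem ca2-root.pem`. The size check runs before parsing on purpose: a hijacked query result that is megabytes long is refused without ever being decoded. `validate` is called with checkRevocation=false here so the example works without network; in the real module pass true and make the CA's CRL or OCSP reachable (with the JDK's PKIX implementation that means `-Dcom.sun.security.enableCRLDP=true` and `Security.setProperty("ocsp.enable", "true")`), otherwise the builder fails with "Could not determine revocation status". Anchoring only the supported CAs' roots, rather than the whole cacerts file, means a certificate from an unrelated CA is rejected even if it is otherwise well formed.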

K Aditi
Ranch Hand

Joined: Mar 17, 2008
Posts: 89

posted Jul 31, 2008 23:21:00

0

Ok. I see the point. Thanks for the reply. I will get back to you after doing some more research.

K Aditi
Ranch Hand

Joined: Mar 17, 2008
Posts: 89

posted Aug 05, 2008 23:32:00

0

After thinking over and doing some reading I would like to rephrase my question. I would like to retrieve a user certificate from a third-party CA. For this I require an access point of the CA so that I can query the CA for user certificates according to the search criteria. By the way, by access point I mean the CA server's LDAP name or a URL etc. where certificates are stored. I thought that the CA would provide me with an access point or something when I am granted a certificate after a CSR. But I did not receive anything of that sort. Now how am I to retrieve it from the CA using Java code?

Information published in the repository portion of the VeriSign web site is publicly-accessible information. Read only access to such information is unrestricted. VeriSign requires persons to agree to a Relying Party Agreement or CRL Usage Agreement as a condition to accessing Certificates, Certificate status information, or CRLs.

This page provides the Relying Party Agreement. Further, I believe VeriSign provides a page where one can search for digital certificates issued by VeriSign. Am I on right track? Can this be used to programmatically retrieve the certificates?

greg stark
Ranch Hand

Joined: Aug 10, 2006
Posts: 220

posted Aug 07, 2008 18:16:00

0

Well, I was wrong. I don't know of any other interfaces besides the web one you found, and I don't know about other CAs either.